The management of the access to conditional data is well known and has been practiced since a long time particularly in the Pay-TV field.
The user has a decoder for decrypting the encrypted stream by means of keys that are associated to subscription or rights. These keys are generally preferably stored in a removable security module in order to allow the evolution of the functions offered as well as the security.
Most decoders, once the data stream has been decrypted, convert this data into an analogue form to be processed by a visualization device, such as a television screen.
The advent of digital screens has somehow disrupted this scheme. In fact, since the decoder output towards the display is digital, this output can be used in a fraudulent way to produce illegal copies.
For this reason, before digital displays and more generally any apparatus processing this type of data in digital form, such as digital recorders, become widely used, solutions have been proposed with the aim of preventing the dissemination of conditional access data.
Thus, an end-to-end protection of the content has been proposed in order to maintain the content in an encrypted form until it reaches the restitution device (a television set for example).
A source such as a decoder or a DVD reader processes the encrypted content and authorizes access as long as the conditions are fulfilled (according to the user's subscription, for example). The content, before being sent to the user's local network, is encrypted again according to a key associated to this network, so that it can only be accessible in this network. Any use outside this network is impossible given that the key is unique for each domestic network.
The concept of domestic network, although defined in relation to a user, can be vague since a neighbor can easily connect to the same network and thus dispose of the same network key. For this reason the simplest solution is to limit the number of people forming a local network.
To use this type of secure local network, each device must have a security module containing the secret pertaining to this network. These modules are in general either in the form of a removable smart card or a security module directly mounted in the apparatus.
According to a first known solution, this limitation concept has been implemented by the transmission of a parent capacity belonging to the network. For the installation of a local network, a first module contains or is capable of generating the key that serves as a common point in this network. Once this first module has generated a first key, it becomes a parent module and can function on its own. If another module appears in the same network, this parent capacity is transmitted to this second module, allowing the latter to be a part of the same network. The first module loses its parent capacity and this ability is transferred to the second module. Of course, other parameters, such as the number of future modules participating in this network, are also decremented and stored in the new generator module.
The move of the parent capacity meets security criteria because one module can only introduce one other module into the same network. Nevertheless this solution presents certain problems, since the chain can be interrupted through ignorance of the principle, in the case that a user separates one of the elements that precisely had become the parent module. Furthermore, if the apparatus in which this module is present were damaged, the user would take it to a point of sale and exchange it for another apparatus, which results in the interruption of the possibility of extending this network.
The document WO01/67705 describes a system for a secure transfer of data and data management on the Internet network comprising a data transfer and encryption module in a user unit, and a data management module in a server unit. The data transfer is carried out through the moving of the data from a window displayed on a screen associated to the user unit from or to a window associated to the server unit. Each window is associated with a password in such a way that the moving of the data from a window to the other causes the encryption or the re-encryption from one associated password to the other. The system uses symmetric key encryption coupled with the file transfer protocol and allows a secure transfer of large data files which size is 100 Megabytes or more. This data transfer from the server unit to the user unit or vice versa can be carried out an unlimited number of times independently of the network and of the units' locations on the network.